Falco also distributes out-of-the-box rules that can be used to identify interesting/suspicious/notable events in Cloudtrail logs, including:
- Console logins that do not use multi-factor authentication
- Disabling multi-factor authentication for users
- Disabling encryption for S3 buckets
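As an added illustration of how such a detection is expressed (this is example code, not one of the rules shipped by the Falco project), the rule below flags a successful console login where CloudTrail records that MFA was not used. The `ct.*` fields are assumed to match the cloudtrail plugin's field list and `json.value[...]` the json plugin's; verify both against the plugin documentation for the version you run.

```yaml
# Added example, not a rule distributed with the Falco cloudtrail plugin.
# Assumed field names: ct.name, ct.error, ct.user, ct.user.identitytype,
# ct.srcip, ct.region (cloudtrail plugin) and json.value[...] (json plugin).
- rule: Console Login Without MFA (example)
  desc: A console login succeeded but CloudTrail reports that MFA was not used.
  condition: >
    ct.name="ConsoleLogin"
    and not ct.error exists
    and ct.user.identitytype!="AssumedRole"
    and json.value[/responseElements/ConsoleLogin]="Success"
    and json.value[/additionalEventData/MFAUsed]="No"
  output: >
    Console login without MFA
    (user=%ct.user identitytype=%ct.user.identitytype
    srcip=%ct.srcip region=%ct.region)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [cloud, aws, aws_console, aws_iam]
```

The `not ct.error exists` clause keeps failed login attempts out of this rule, and excluding `AssumedRole` identities avoids alerting on role sessions whose MFA was enforced at `AssumeRole` time rather than recorded on the `ConsoleLogin` event.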
Ways to read Cloudtrail Logs
The plugin can be configured to read log files from:
- An S3 bucket
- An SQS queue that passes along SNS notifications about new log files
- A local filesystem path
For more information on the open params syntax, see the plugin's open params documentation.
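The `falco.yaml` fragment below is an added example (not from the Falco docs) showing where the source selection goes: the cloudtrail plugin is loaded together with the json plugin and `open_params` chooses one of the three sources above. The bucket, queue and file names are placeholders; the `init_config` values are left empty on the assumption that the plugin's defaults are acceptable.

```yaml
# Added example: falco.yaml plugin section for the cloudtrail plugin.
# Bucket, queue and file names below are placeholders.
plugins:
  - name: cloudtrail
    library_path: libcloudtrail.so
    init_config: ""
    # Exactly one open_params form is used per Falco instance:
    #   s3://<bucket>/<prefix>   read every log object under the prefix
    #   sqs://<queue-name>       consume SNS "new object" notifications from the queue
    #   /path/to/file.json.gz    read a single local log file
    open_params: "sqs://example-cloudtrail-queue"
  # The json plugin provides the json.value[...] fields that the
  # cloudtrail rules use for event details not exposed as ct.* fields.
  - name: json
    library_path: libjson.so
    init_config: ""
load_plugins: [cloudtrail, json]
```

With the SQS form, the Falco process needs IAM permission to receive and delete messages on the queue and to read the objects in the bucket the notifications point at; with the S3 form, only read access to the bucket and prefix is required, and the local-file form needs no AWS credentials at all, which makes it the simplest way to test a rule against an exported log file.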
Terraform Module For Cloudtrail Prerequisites
In order to use the Cloudtrail plugin, you must enable Cloudtrail logging for the account(s) you want to monitor. This must be done before using the plugin.
In addition, of the three options above, using an SQS queue provides the easiest-to-consume source of logs. With the SQS queue, the plugin can detect when the new log files are written and can automatically consume them. However, this also requires creating multiple AWS cloud resources, such as SQS queues, SNS topics/subscriptions, IAM policy documents, etc., outside of Falco, which involve multiple manual steps.
To make this process easier, we've created a Terraform module that automatically creates these resources.